Phobos Ransomware (<ID>-<id***8 random>.[<email>].phobos) Support


1606 replies to this topic

#31 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 08 January 2019 - 12:59 PM

Sorry, I misread the assembly. It actually reads a "k.txt" file from the current directory where the executable ran, and deletes it right after reading it, so it is likely not there anymore - you may be able to try using Recuva to recover it though, it is not a secure delete from what I can tell.

I'm not sure of the significance of this file yet, but the malware refuses to run if the file is not present, or if it is not exactly 16 bytes long. It may just be a key to unpack the real executable, as I do see a function for a non-standard TEA decryption routine.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#32 architectt

Posted 08 January 2019 - 04:23 PM

Demonslay335 wrote:
Sorry, I misread the assembly. It actually reads a "k.txt" file from the current directory where the executable ran, and deletes it right after reading it, so it is likely not there anymore - you may be able to try using Recuva to recover it though, it is not a secure delete from what I can tell.

I'm not sure of the significance of this file yet, but the malware refuses to run if the file is not present, or if it is not exactly 16 bytes long. It may just be a key to unpack the real executable, as I do see a function for a non-standard TEA decryption routine.

Well, I got home and am looking for it already; gonna try to recover it if it's not there.



#33 architectt

Posted 08 January 2019 - 06:23 PM

@demonslay335 all the files found have messed-up names; I will try to discover the right one.



#34 chrisdclarke

Posted 08 January 2019 - 07:17 PM

So this ransomware targets shared drives, probably the one that is used most often. What is the best way, if you had a network of 100 computers, to find which one is infected? Also, where is the best place to get a copy of Phobos for analysis?



#35 chrisdclarke

Posted 08 January 2019 - 07:21 PM

So the Phobos ransomware encrypts a shared drive. If you have 100 computers on a network, and one machine is infected and is encrypting a shared drive, what would be the best way to find the one infected machine? Also, where is the best place to get a copy of the Phobos virus for analysis?



#36 architectt

Posted 08 January 2019 - 07:34 PM

@chrisdclarke I'm trying to find a copy of it on my desktop! My THESIS PROJECT is encrypted, I must recover it!



#37 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 08 January 2019 - 08:17 PM

chrisdclarke wrote:
...What is the best way, if you had a network of 100 computers, to find which one is infected?

The owner (username) of the encrypted files is usually a good indicator of what user account was running (whose account was hit) since encrypted files typically keep the original owner that was logged in when the infection was contracted. The names of other file owners are also typically changed to the user whose account was infected.

Right-clicking on a ransom note, choosing Properties > Details tab should identify the file owner (username) and computer/workstation.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.
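The owner check quietman7 describes can be run over a whole share instead of one file at a time. The script below is an added triage example, not from this thread or from any of the tools linked here: it collects the `.phobos` files (extension taken from the topic title) and ransom notes on a share, reads each file's NTFS owner, and tallies them per owner so the account that was logged in on the infected host stands out. `$SharePath` and `$NoteName` are placeholders you fill in; the page does not give the note's file name.

```powershell
<#
  Added example (not from the thread): per-owner tally of encrypted files and
  ransom notes on a share. The owning account points at the infected machine.
  $SharePath and $NoteName are placeholders; '.phobos' comes from the topic title.
#>
param(
    [string]$SharePath = '\\FILESERVER\Share',   # placeholder: your share
    [string]$NoteName  = 'RANSOM_NOTE_NAME.txt'  # placeholder: the note you found
)

# Collect encrypted files and ransom notes; -Force also picks up hidden items.
$hits = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.phobos' -or $_.Name -eq $NoteName }

# Read the NTFS owner of each hit (the same value the Details tab shows).
# Encrypted files keep the owner that wrote them, i.e. the infected account.
$owned = foreach ($f in $hits) {
    try   { $owner = (Get-Acl -LiteralPath $f.FullName).Owner }
    catch { $owner = '<unreadable>' }
    [pscustomobject]@{
        Owner   = $owner
        Kind    = if ($f.Name -eq $NoteName) { 'note' } else { 'encrypted' }
        Written = $f.LastWriteTime
        Path    = $f.FullName
    }
}

# One row per owner: file counts plus the earliest and latest write times.
# The earliest encrypted-file timestamp narrows down when the run started,
# which helps when matching against logon and share-access logs.
$owned | Group-Object Owner | ForEach-Object {
    $sorted = $_.Group | Sort-Object Written
    [pscustomobject]@{
        Owner     = $_.Name
        Files     = $_.Count
        Notes     = @($_.Group | Where-Object { $_.Kind -eq 'note' }).Count
        FirstSeen = $sorted[0].Written
        LastSeen  = $sorted[-1].Written
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize
```

Run it from an account that can read the share's ACLs; an owner of `<unreadable>` means the ACL could not be read, not that the file is clean.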


#38 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 08 January 2019 - 08:28 PM

chrisdclarke wrote:
...where is the best place to get a copy of Phobos for analysis?

One of the primary goals of Bleeping Computer is to assist victims of malware infection with removal and to prevent the spread of malicious programs, not encourage them. Therefore, we will not provide public links to malware samples or malicious sites where infections have been contracted and spread. Others reading this topic may use the information for nefarious purposes, or an unwitting novice or curious reader may accidentally click a link and end up infecting their own computer.

For those and other obvious reasons, we are not going to provide more specific information in a public forum. There are a number of sites which specialize in malware samples where questions like yours can be asked. You can register at Hybrid Analysis, MALWR Analysis and VirusShare. If looking for crypto malware (file-encrypting ransomware) and related files, you can also try contacting the MalwareHunterTeam directly or via Twitter.



#39 architectt

Posted 08 January 2019 - 08:44 PM

I found a folder called TASKMGR with some files inside; they are encrypted too and have files inside with these names:

kprocesshacker.sys
peview.exe
ProcessHacker.exe
ProcessHacker.sig

but they are encrypted too :/


#40 architectt

Posted 08 January 2019 - 08:47 PM

I found a folder called TASKMGR with some files inside; they are encrypted too and have files inside with these names:

kprocesshacker.sys
peview.exe
ProcessHacker.exe
ProcessHacker.sig

but they are encrypted too :/

Anyway, I'm looking for more suspicious files...


#41 architectt

Posted 08 January 2019 - 09:29 PM

@Demonslay335 I have tried Recuva and 2 more recovery programs, but I can't find the "k.txt", dammit.



#42 Beg-Spear

Posted 09 January 2019 - 02:25 AM

Good morning, I restored a backup after being infected and sent some encrypted files and originals with the note and what I think was the downloader.

If you need anything else, let me know.

 



#43 chrisdclarke

Posted 09 January 2019 - 11:19 AM

architectt wrote:
@chrisdclarke I'm trying to find a copy of it on my desktop! My THESIS PROJECT is encrypted, I must recover it!

Good morning Architectt, a lot of ransomware only encrypts the registry keys, or the ability of Windows to find the file. I don't know if this is the case with Phobos, but in the past I've been able to recover "encrypted files" by running the computer on a bootable Linux drive (Kali or Parrot). Now, you've indicated that the file names will be a jumbled mess, but what I did was search the folder for the name of the file, i.e. thesis.txt; it would find it in AAAXX/jlkjlkj/somerandom/thesis.txt, and then transfer it to a thumb drive. You can also work backwards and get more files. But the process is tedious and you need the file name. In the case I worked on before, I was successful. Hopefully you can retrieve your thesis.



#44 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 January 2019 - 11:33 AM

@Beg-Spear

Where did you "send" these files? There is nothing uploaded by you to the MRC ransomware submission channel.

We mostly need the malware itself in order to analyze still. Please zip up the executable and any suspicious files with it and upload here: https://www.bleepingcomputer.com/submit-malware.php?channel=168




#45 chrisdclarke

Posted 09 January 2019 - 11:41 AM

quietman7 wrote:
...What is the best way, if you had a network of 100 computers, to find which one is infected?

The owner (username) of the encrypted files is usually a good indicator of what user account was running (whose account was hit) since encrypted files typically keep the original owner that was logged in when the infection was contracted. The names of other file owners are also typically changed to the user whose account was infected.

Right-clicking on a ransom note, choosing Properties > Details tab should identify the file owner (username) and computer/workstation.

Thank you for your help, Quietman7.





